The Biggest Threat? It May Be You
When it comes to virtual server security, you might just be the weak link. Or, more precisely, your lack of planning, maintenance, and governance of that VM server farm.

We're halfway through 2009, and still no reports of production hosts being hyperjacked, leaving servers at the mercy of a compromised hypervisor. So what about all those dire 2007 predictions of virtualization-fueled havoc from third-party APIs, virtual NIC drivers, guest escalation breakouts, or compromised hypervisors? Anyone?
The only virtualization-related vulnerability at a major vendor that has been exploited in the real world is Microsoft's privilege escalation flaw in the embedded hypervisor of 2006-model-year Xbox 360s. Patches have shipped (VMware's are counted below), but no exploited vulnerabilities have hit Hyper-V or Virtual PC.
As virtualization has gone mainstream and virtual machines have sprawled across data centers over the past few years, IT and security pundits repeatedly raised the bogeyman of compromised hypervisors. Black Hat seminars continue to debate potential risks and exploits. Gartner predicted there would be a hypervisor vulnerability worthy of a patch by the end of last year. Did any of the 19 security patches that VMware released in 2008 count as patch-worthy? Of course they did. Whether any of them patched a likely real-world exploit is up for debate.
The reality is that virtualization is simply software. Tightly written bundles of highly efficient code, designed with a hard crunchy shell, but software nonetheless. As with any complex, widely adopted program, there have been code and design flaws, and there will be more.
Given that, what are the likely threats? Virtual servers are just servers. The hardware abstraction and flexibility inherent in virtualization yield untethered VMs that are easy to create, deploy, shelve, and, well, even lose track of. The biggest threats to your virtualized world aren't bad guys wielding BIOS viruses, mythical blue pills, or a dastardly new method of usurping control of underlying host platforms. Rather, the weakest link is your own lack of planning, care, maintenance, and governance over your Wild West, devil-may-care VM farm.
Shore Up Standard Defenses
There's a long list of security concerns in small and large virtualized shops. You should be concerned about potential exploits allowing guest VMs to break out of their jails and into the host or hypervisor tier, says Greg Shipley, CTO at information security consulting firm Neohapsis, but you should be more concerned about unpatched guest VMs lurking forgotten on a test host or shuttling from host to host via poor live migration rule sets. Hyperjacking and intrahost risks are concerns, "but is that the right battle to fight?" he asks.
Just about everyone can benefit from basic risk management thinking, where the likelihood of a threat is weighed against its potential impact and the effort and cost of remediation, Shipley says. Most companies have basic security design and infrastructure concerns that span both physical and virtualized environments. As boring as it sounds, addressing those concerns will have a greater impact on overall safety than any single-purpose VM tool. Put another way, focusing on VM-specific solutions is premature if your physical shop is at risk.
Any unpatched server is a security risk, and a test or production VM, with management authority delegated to a business unit or development team, is a serious risk. Even if you have an automated patch management system or a formal in-house patch management strategy, you probably aren't 100% certain that all your VMs' OS and application instances are up to date. Attackers will probe your network for common exploits, and an unpatched Win2K3 server with a known hole is an easy mark. Bad guys don't care if the server is physical or virtual. They're just looking for exploitable targets.
Traditional automated patching strategies don't take offline servers into consideration: they see only the hosts that are powered on and checking in. In the physical world, a dark server is a dead one; it isn't on the network to be patched, but it isn't on the network to be attacked either. In the virtual world, a suspended or archived server is a file that can be powered back on, unpatched, at any time, so those VMs need to be updated via virtualization-aware patch management tools. VM templates and base images also have to be maintained and patched, or every guest cloned from them starts life behind. Lacking these tools, shops should vet each VM to check for currency and compliance, applying all patches before releasing a guest server to production.
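As an added illustration of the gap described above (this is example code written for this page, not a tool from the article or any vendor), the script below audits patch currency from the virtualization inventory rather than from agent check-ins. It compares what a check-in based patch system would see (running guests only) with the full inventory, so suspended and archived VMs and templates that have quietly fallen behind show up, grouped by the team that holds management authority. The inventory, dates, owners and the 30-day staleness threshold are all constructed assumptions; in practice the inventory would be pulled from the hypervisor management API.

```python
"""Inventory-driven patch currency audit for a VM farm (added example).

Assumption: an agent-based patch tool only sees guests that are powered on
and checking in, so suspended/archived VMs and templates drop out of its
view. Auditing against the hypervisor's inventory instead catches them.
The inventory below is constructed for illustration, not real hosts.
"""
from dataclasses import dataclass
from datetime import date

# States in which a guest exists as a file on disk but never checks in.
OFFLINE_STATES = {"suspended", "archived", "template"}


@dataclass(frozen=True)
class VM:
    name: str
    state: str          # running | suspended | archived | template
    last_patched: date  # date the OS/application stack was last brought current
    owner: str          # team holding delegated management authority


# Constructed sample inventory (hypothetical names, dates and owners).
INVENTORY = [
    VM("web01",       "running",   date(2009, 6, 2),   "ops"),
    VM("db01",        "running",   date(2009, 5, 28),  "ops"),
    VM("qa-win2k3",   "running",   date(2008, 11, 3),  "dev-team"),
    VM("bizapp-old",  "suspended", date(2008, 9, 15),  "finance"),
    VM("gold-win2k3", "template",  date(2009, 1, 20),  "ops"),
    VM("archive-07",  "archived",  date(2007, 12, 1),  "dev-team"),
]


def is_stale(vm, today, max_age_days=30):
    """A guest is stale if it has not been patched within max_age_days."""
    return (today - vm.last_patched).days > max_age_days


def agent_visible(inventory):
    """What a check-in based patch system sees: only powered-on guests."""
    return [vm for vm in inventory if vm.state == "running"]


def audit(inventory, today, max_age_days=30):
    """Return (stale, missed): all stale guests, and the stale guests an
    agent-based tool would never report because they are offline."""
    stale = [vm.name for vm in inventory if is_stale(vm, today, max_age_days)]
    visible = {vm.name for vm in agent_visible(inventory)}
    missed = [name for name in stale if name not in visible]
    return stale, missed


def stale_by_owner(inventory, today, max_age_days=30):
    """Group stale guests by the team that owns them, for follow-up."""
    out = {}
    for vm in inventory:
        if is_stale(vm, today, max_age_days):
            out.setdefault(vm.owner, []).append(vm.name)
    return out


def release_gate(vm, today, max_age_days=30):
    """Gate to run before a guest goes to production: it must be current,
    whether it is a running guest, a resumed suspended one, or a fresh clone
    from a template."""
    return not is_stale(vm, today, max_age_days)


if __name__ == "__main__":
    today = date(2009, 6, 15)  # constructed audit date
    stale, missed = audit(INVENTORY, today)
    print("stale:", stale)
    print("invisible to agent-based patching:", missed)
    print("by owner:", stale_by_owner(INVENTORY, today))
    for vm in INVENTORY:
        print(f"{vm.name}: {'OK' if release_gate(vm, today) else 'HOLD'}")
```

Running it against the constructed inventory flags four stale guests, three of which (the suspended, archived and template entries) an agent-based tool would never list; the gold template is the one to fix first, since every guest cloned from it inherits the gap.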
